Malware Configuration Extraction with VMRay

Explore VMRay’s advanced configuration extraction methods, revealing actionable insights for enhanced threat analysis and cybersecurity.

In the world of malware analysis, the extraction of configuration data plays a pivotal role in unraveling the inner workings of malicious software. VMRay excels in this endeavor, offering a comprehensive approach to configuration extraction.

Three Modes of Presentation

VMRay simplifies the complex task of configuration extraction by presenting the acquired data in three accessible formats:

User Interface Table:

At the forefront of our arsenal is a user-friendly table displayed directly within the VMRay interface. This tabular presentation provides a clear and concise overview of the extracted configuration data.

Integration with VMRay IOC Feature:

Our platform seamlessly feeds the configuration data into VMRay’s IOC (Indicators of Compromise) feature, where it’s skillfully separated from mere artifacts. This feature distinguishes actionable IOCs, empowering analysts to focus on what truly matters in their threat investigations.

Downloadable JSON Files:

For those who prefer a more versatile approach, VMRay allows you to download the configuration data as JSON files. This standardized format ensures compatibility with a wide array of tools and workflows.

A Real-World Example: NanoCore

To illustrate the practicality of VMRay’s configuration extraction capabilities, let’s examine a real-world scenario involving the NanoCore malware family.

Extracted configuration for the malware NanoCore as seen on the analysis overview

Upon analysis, VMRay extracts a wealth of data from a NanoCore sample. This information encompasses both generic and family-specific details, shedding light on the malware’s behavior:

Common Data: VMRay captures crucial information such as the malware’s version, mutex, socket for communication, and timing-related parameters. These insights provide a solid foundation for understanding the malware’s basic functionality.

Family-Specific Attributes: Beyond the generic data, VMRay’s table reveals family-specific characteristics. For instance, it discloses which malicious features are enabled, including actions like executing on system startup, attempting to bypass User Account Control (UAC), clearing the Zone Identifier, preventing system sleep, and redirecting DNS requests to specific servers.

As we progress through this course, the journey continues with a focus on “High-Quality IOC Generation.” In the next chapter, we’ll delve into how VMRay distinguishes genuine IOCs from extraneous artifacts, ensuring that analysts are equipped with precise and actionable insights.

Course Homepage:
Malware Configurations: How to find and use them

Chapter 4: 
Automated generation of high-quality IOCs

Table of Contents

See VMRay in action.
Get a complete and noise-free picture of malware and phishing threats

Further resources


The most advanced malware and phishing sandbox


Explore how you can benefit from VMRay’s capabilities for Threat Hunting


Build the most reliable and actionable Threat Intelligence:

Welcome to the playground.

Explore what you can do with VMRay.

Click on the yellow dots to check the report formats, see the overview, explore the network connections of the sample, malicious behavior, and relevant files, map the threat on MITRE ATT&CK Framework, analyze and download IOCs and artifacts.

The analysis report tabs are available both for VMRayDeepResponse and VMRayTotalInsight. The bundle of VMRay FinalVerdict and VMRayDeepResponse also offers access to the analysis report tabs.

We’re sorry. 

The interactive tour is not available on mobile devices.

Unveiling the power:
See our experts showcasing VMRay’s capabilities.

Analysis of a malicious file

Join Fatih Akar from the VMRay team as he provides a detailed walkthrough of a malicious LNK file, a prevalent attack vector since Microsoft’s Office macros block.

Gain valuable insights into each tab of our comprehensive analysis report and get a sneak peek into what you’ll be exploring.

Analysis of a malicious URL

Join Andrey Voitenko, an expert in advanced malware and phishing analysis from the VMRay team, as he demonstrates how to submit emails and URLs to the VMRay platform using built-in connectors.

Discover the capabilities of our new Automation Dashboard, enabling one-click automation with your existing EDR, SOAR, SIEM, and TIP tools. Monitor analysis data seamlessly from your VMRay dashboard and unlock new levels of efficiency in your security operations.

Integrating with existing tools

Watch Michael Bourton showcasing the seamless integration of VMRay platform with your existing security stacks.

Discover how effortlessly you can leverage unparalleled detection and analysis capabilities by utilizing dedicated connectors or our Rest API.

Experience VMRay in Action:
Explore Real-world Malware Analysis Reports

Get a firsthand look at the power and capabilities of the VMRay platform by delving into our sample malware and phishing analysis reports.

Immerse yourself in a range of report formats, providing comprehensive insights.

Dive into the overview, explore intricate network connections, analyze malicious behavior in detail, and map threats using the MITRE ATT&CK Framework. See the possibilities to download clear IOCs.

Uncover the capabilities that await you.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator